Data Breach at Neurological Clinic Highlights Threat Against Smaller Practices

Being a small or single-practice facility doesn't make you any less appealing as a target for cybercrime. That’s the takeaway from the recent news of a malware attack at an Atlanta-based neurological clinic.

While investigating the malware attack, administrators there discovered that the clinic had unknowingly been the victim of another breach, one that went undetected for more than a year.

Peachtree Neurological Clinic broke the news to its patients earlier this week in a letter.

According to the clinic, its computers were recently hit with a ransomware attack that encrypted all its EHRs. The attacker then demanded money, which the clinic did not pay, to decrypt the files. Peachtree retrieved the patient data from backups and has since recovered from the attack. In the letter, the clinic’s administrator, Dr. Lawrence Seiden, M.D., says that subsequent scans revealed that the clinic’s computers are malware-free.

However, the ensuing investigation showed that a second undetected breach had gone on from February 2016 to May 2017.

“We are not able to confirm which, if any, files or patient information was accessed by these unauthorized individuals,” the letter reads. It notes that the cyber criminals may have had access to names, addresses, phone numbers, social security numbers, dates of birth, driver’s license numbers, insurance information, as well as data on treatments or procedures.

The clinic says that the investigation continues and it has offered identity-theft monitoring to those affected.

Though hospitals and hospital systems were the predominant victims in the recent spate of headline-grabbing cyberattacks, the incident at Peachtree highlights how small- and single-practice facilities can also fall victim. At the recent American Academy of Orthodontics 2017 meeting in San Diego, Steve McEvoy, an IT consultant, demonstrated the severity of the issue by focusing on one dental practice.

Logging into the system McEvoy uses to monitor security for his clients, he showed one practice that had successfully repelled 1,200 cyberattacks from Russia during one day. This was not, he said, an atypical example.

According to Pat Little, D.M.D., who runs a private security consulting firm for dental practices, the sources of breaches in small-office settings are often easily correctable.

“It’s also amazing when I go into offices, just how many times I see open charts,” he said. “But even passwords that are stuck on sticky notes that are sitting right up on the monitor. Not secure at all,” he said.

Other common sources of breaches, he said, include removing unencrypted laptops from the office or backing up to external hard drives.

Our sister publication Dentist’s Money Digest® contributed to this report.
